Why forensics?

• To know how the attacker works

• To ascertain the loss

• To identify the attacker

• Preservation of evidence
Who are the attackers?

• Hacker/Cracker

- Just for fun

- Politically motivated

- Financially motivated

• Staff members

• Competitors

• Intelligence
Quality of the attacks vs. needed know-how

[Figure (source: CERT): attack sophistication plotted against the intruder knowledge needed, timeline 1990 to 2003, axis label "Intruder Knowledge". Labels recovered from the figure, in the order they appear on the page:]

- email propagation of malicious code
- "stealth"/advanced scanning techniques
- widespread attacks using NNTP to distribute attack
- widespread attacks on DNS infrastructure
- executable code attacks (against browsers)
- automated widespread attacks
- GUI intruder tools
- hijacking sessions
- Internet social engineering attacks
- packet spoofing
- automated probes/scans
- techniques to analyze code for vulnerabilities without source code
- sophisticated command [label truncated on the page]
- antiforensic techniques
- increase in wide-scale Trojan horse distribution
- Windows-based remote controllable Trojans (Back Orifice)

Source: CERT
Basic questions

• What happened?

• Where?

• When?

• How?

• Who?

• Why?
Forensic process

• Alert or incrimination

• Cost / benefit equation

• Securing the "site of crime" is very difficult for the Internet

• Collect evidence (photograph, document)

• Protect evidence verifiably against modification

• Analyse data

• Appraisal of results

• Documentation and presentation of the results

• Testimony at court
• Order of collection

- Cache, RAM

- Temporary files, actual state of the network, running processes

- Hard disks

- Floppy disks, CD/DVD-RW, USB devices, ...

- CD/DVD-R, paper

• Save the data to a forensic workstation
Tools (1)

• From a trustable source

• Bootable CD/DVD (HELIX, FIRST)

• Unix/Linux

- dd, cp, cat, ls, ps, strings, find, file, bash,
grep, less, vi, ifconfig, kill, nc/netcat, tcpdump,
arp, df, diff, du, last, lsmod, md5, sha1,
netstat, rpcinfo, showmount, top, uname,
uptime, who, fdisk, ...

• Windows

- Foundstone (e.g. FPort), Sysinternals
(e.g. Handles, PsList) ...
Tools (2)

• Encase

[Screenshot: EnCase "Internet and Email" history view listing Firefox browser history entries recovered from a user profile (columns: Name, URL, Host, User, Visit Count, First Date), with several webmail.netscape.com visits by "PC User" on 02/04/05. Details of the selected entry:]

URL: http://webmail.netscape.com/msgview.adp?folder=SW5ib3g=&uid=223796
Host: webmail.netscape.com
User: PC User
Visit Count: 2
First Date: 02/04/05 04:12:58PM
History Path: Internet and Email\Active\Documents and Settings\PC User\Application Data\Mozilla\Firefox\Profiles\03fb4udv.default\history.dat
Tools (3)

• Forensic Tool Kit
Site of crime

• Keep cool!

• Decisions

- Turn off the system or not? (memory, processes)

- Unplug the network? (network connections)

• Photograph and document everything

• Save the evidence
Site of crime

[Figure: items to photograph and document at the site of crime: printer, CPU, location, telephone, diskettes, counterfeit software, documents, monitor, keyboard]
Volatile data

• RAM

- dd bs=1024 < /dev/kmem | netcat -w 2 [target-IP] 1234

• Network connections

- netstat -an | netcat -w 2 [target-IP] 1234

• Miscellaneous

- last, who, w, ps, lsof, arp, ...

• External sources: log server, firewall, intrusion detection and router logfiles
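The capture the slide describes, written out as an added example (not code from the original slides): each volatile source is collected most-volatile-first from a trusted toolkit directory, and a SHA-1 manifest is kept so the capture can later be shown to be unmodified. The toolkit path, output directory and labels are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original slides: capture volatile
# data most-volatile-first and keep a SHA-1 manifest so the capture
# can later be shown unmodified. The toolkit path, labels and output
# directory are assumptions.
set -u

# sha1sum on Linux, shasum on BSD/macOS; prints only the hex digest.
digest() {
    if command -v sha1sum >/dev/null 2>&1; then sha1sum "$1" | cut -d' ' -f1
    else shasum -a 1 "$1" | cut -d' ' -f1; fi
}

# collect OUTDIR LABEL CMD [ARGS...]: run CMD, store stdout in
# OUTDIR/LABEL.txt and stderr in OUTDIR/LABEL.err, then append
# "<sha1>  <label>  <utc time>" to OUTDIR/manifest.sha1.
collect() {
    outdir=$1; label=$2; shift 2
    mkdir -p "$outdir"
    "$@" >"$outdir/$label.txt" 2>"$outdir/$label.err"
    printf '%s  %s  %s\n' "$(digest "$outdir/$label.txt")" "$label" \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >>"$outdir/manifest.sha1"
}

# verify OUTDIR: re-hash every captured file and compare it with the
# manifest. Returns 0 when all digests match, 1 if anything changed.
verify() {
    outdir=$1; status=0
    while read -r sum label _; do
        [ "$(digest "$outdir/$label.txt")" = "$sum" ] ||
            { echo "MISMATCH: $label"; status=1; }
    done <"$outdir/manifest.sha1"
    return $status
}

# Most volatile first, as on the slide: network state and processes
# before anything that also lives on disk. Binaries come from a
# trusted toolkit directory (TOOLS, assumed), not the suspect PATH.
collect_all() {
    outdir=$1; tools=${TOOLS:-/mnt/cdrom/bin}
    collect "$outdir" netstat "$tools/netstat" -an
    collect "$outdir" ps      "$tools/ps" aux
    collect "$outdir" lsof    "$tools/lsof" -n
    collect "$outdir" arp     "$tools/arp" -an
    collect "$outdir" w       "$tools/w"
    collect "$outdir" last    "$tools/last"
}
```

Point OUTDIR at removable media or a share exported by the forensic workstation, or replace the file redirection with the slide's netcat pipe, so nothing is written to the suspect disk.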
Non-volatile data

• Create a checksum of the data (sha1 or md5)

• Create a bit-by-bit copy of the source

• Create a checksum of the copy and compare it with the original

• Why a 1:1 image and not a simple copy?

- File slack (not completely written cluster)

- No modification of the access times (MAC times)

  - M - mtime: change of the content

  - A - atime: last read access

  - C - ctime: change of the inode (rights, owner)
Forensic copy

• Write blocker

- Hardware

- Software

• Requirements

- Creation of a bit-stream duplicate or an image from an original hard drive/partition

- No modifications on the original hard drive or partition

- Read/write errors have to be logged

- Documentation must be complete and correct
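The checksum-copy-checksum procedure of the "Non-volatile data" slide and the logging requirements of the "Forensic copy" slide, as an added example (not code from the original slides). The source path, case directory and block size are assumptions; the source is expected to sit behind a write blocker.

```shell
#!/bin/sh
# Added example, not code from the original slides: bit-stream image of a
# device or partition with before/after hashes and an error log, the steps
# the "Non-volatile data" and "Forensic copy" slides list. The source path
# and case directory are assumptions; run it behind a write blocker.
set -u

# sha1sum on Linux, shasum on BSD/macOS; prints only the hex digest.
digest() {
    if command -v sha1sum >/dev/null 2>&1; then sha1sum "$1" | cut -d' ' -f1
    else shasum -a 1 "$1" | cut -d' ' -f1; fi
}

# acquire SOURCE CASEDIR: hash the source, copy it bit by bit, hash the
# copy and compare. Leaves CASEDIR/image.dd, CASEDIR/dd.log and
# CASEDIR/report.txt. Returns 0 when both hashes match, 1 otherwise.
acquire() {
    src=$1; dir=$2
    mkdir -p "$dir"
    img=$dir/image.dd; log=$dir/dd.log; rep=$dir/report.txt
    before=$(digest "$src")
    # bs=512 matches the classic sector size. conv=noerror continues past
    # a read error instead of aborting; conv=sync zero-fills the unread
    # sector so every later byte keeps its original offset. dd's stderr
    # (record counts and error lines) becomes the required error record.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log"
    after=$(digest "$img")
    {
        echo "acquired: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source: $src"
        echo "sha1 source: $before"
        echo "sha1 image:  $after"
        if [ "$before" = "$after" ]; then echo "result: MATCH"
        else echo "result: MISMATCH (zero-filled sectors? see $log)"; fi
    } >>"$rep"
    [ "$before" = "$after" ]
}

# report_result CASEDIR: prints MATCH or MISMATCH from the written report.
report_result() { sed -n 's/^result: \([A-Z]*\).*/\1/p' "$1/report.txt"; }
```

A mismatch together with error lines in dd.log means unreadable sectors were zero-filled, which the report must state; hash whole devices or partitions, since conv=sync would pad a regular file whose size is not a multiple of 512 bytes.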
Questions for the examination

• What was saved on the hard disk?

• What traces did the applications leave?

• What files were deleted?

• Are there hidden files?

• Are there encrypted files or areas on the disk?

• Are there hidden partitions?

• Are there backdoors or remote admin tools?
Analysis

• Search and examine all log files

• Search for particular keywords

• Examine all relevant data

• Identify unauthorised user and group accounts

• Identify suspect processes

• Check for unauthorised access
Presentation

• Present not only findings ...

- but rather how you did it

- Show the rules and standards you have used

- Substantiate the conclusions

- And alternative explanatory models
Criminal prosecution

• Who makes the decision?

• Criminal or private law

• Complaint of an offence

- Will you do it?

- Who can do it?

• Site of crime principle

- Where is the offender?

- Where did the damage arise?

• Collection of evidence (own team or police authorities)?
Limitations due to antiforensics
If you would like further information about ELAMAN,
or would like to discuss a specific requirement or project, please contact us at:

Elaman GmbH
German Security Solutions
Seitzstr. 23
80538 Munich
Germany

Tel: +49-89-24 20 91 80
Fax: +49-89-24 20 91 81
info@elaman.de
www.elaman.de